Commit abb3a2b0 authored by Jaime Pérez Crespo

Allow standard ports when evaluating trusted URLs.

If a standard port is specified, then ignore it. Otherwise, include the port in the check so that non-standard ports must be whitelisted explicitly.
parent ef5677fb
......@@ -323,8 +323,15 @@ class HTTP
// validates the URL's host is among those allowed
if (is_array($trustedSites)) {
assert(is_array($trustedSites));
preg_match('@^https?://([^/]+)@i', $url, $matches);
$hostname = $matches[1];
preg_match('@^http(s?)://([^/:]+)((?::\d+)?)@i', $url, $matches);
$hostname = $matches[2];
// allow URLs with standard ports specified (non-standard ports must then be allowed explicitly)
if (!empty($matches[3]) &&
(($matches[1] === '' && $matches[3] !== ':80') || ($matches[1]) === 's' && $matches[3] !== ':443')
) {
$hostname = $hostname.$matches[3];
}
$self_host = self::getSelfHostWithNonStandardPort();
......
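Review bot: The new pattern '@^http(s?)://([^/:]+)((?::\d+)?)@i' ends the host capture at the first ':' and makes the port group optional without requiring the authority to end after it, so when the authority carries userinfo with a password (user:pass@host), $matches[2] is the text before the first colon rather than the host the client will actually contact. The replaced pattern ([^/]+) captured the whole authority, which would not have equalled a trusted host entry in that case. Bracketed IPv6 literals are cut at their first colon for the same reason. Consider taking host and port from parse_url(), or requiring the port group to be followed by '/', '?', '#' or the end of the string and rejecting the URL otherwise. The return value of preg_match() is also not checked before $matches[2] is read, so a URL that does not match leaves $hostname undefined. In the port condition, the parenthesis in ($matches[1]) === 's' is misplaced; the expression only evaluates as intended because && binds tighter than ||, so group each scheme/port pair explicitly.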